Re: NT Compromise -- UPDATE (UDP Flood SRC=53)

["Mike Lewinski" <mike () rockynet com>]

> I NEED to figure out what this traffic is as it is what originally gave us
the
> impression it was compromised. SOURCE PORT of 53? The only thing
> I can google on this is a bit of references to Stacheldraht.

BIND has a directive that allows the source port of all queries (i.e.
recursive lookups) to be specified. It's fairly common to set it to 53. This
makes for cleaner firewall setup.

It doesn't sound like that's what you're seeing now. However, if it is a DoS
tool, it may be assuming that every firewall is going to all UDP 53 through
and that's why.

Mike



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com